The following Fedora EPEL 5 Security updates need testing: Age URL 836 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-3849 sblim-sfcb-1.3.8-2.el5 479 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-edbea40516 mcollective-2.8.4-1.el5 450 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-582c8075e6 thttpd-2.25b-24.el5 61 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-ce45574ab6 libbsd-0.8.3-2.el5 0 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-90b2cbfdaf openssl101e-1.0.1e-10.el5 The following builds have been pushed to Fedora EPEL 5 updates-testing openssl101e-1.0.1e-10.el5 Details about builds: ================================================================================ openssl101e-1.0.1e-10.el5 (FEDORA-EPEL-2017-90b2cbfdaf) A general purpose cryptography library with TLS implementation -------------------------------------------------------------------------------- Update Information: OpenSSL ======= Security Fixes -------------- * An integer underflow leading to an out of bounds read flaw was found in OpenSSL. A remote attacker could possibly use this flaw to crash a 32-bit TLS/SSL server or client using OpenSSL if it used the RC4-MD5 cipher suite. (CVE-2017-3731) * A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. (CVE-2016-8610) * The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys. (CVE-2016-7056) -------------------------------------------------------------------------------- References: [ 1 ] Bug #1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS https://bugzilla.redhat.com/show_bug.cgi?id=1384743 [ 2 ] Bug #1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read https://bugzilla.redhat.com/show_bug.cgi?id=1416852 [ 3 ] Bug #1412120 - CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery https://bugzilla.redhat.com/show_bug.cgi?id=1412120 -------------------------------------------------------------------------------- _______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
